Subscribe to this blog

Subscribe

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market with a focus on applications, hacking and malware and nowadays data breach. Although these items are important to be considered, yet they are an extremely small part of the overall information security puzzle.

Consider an organization dealing with nuclear reactor designing and another organization dealing with providing cloud backup solutions. Would the risk management be the same for both the organizations? The answer is NO which most of you would agree upon. Both the organizations would be vulnerable to certain threats which may threaten its business models. Every business exists to make money and security become only an issue when this bottom line is affected. Risk Management should always be done with the objective that threats which are identified do not affect the bottom line. Hence, it is critical that security professionals understand threats faced by a company, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.

Let’s take up the two scenarios once again. In both the cases, there would be innumerable threats which these businesses will face. Should that business work on resolving every threat it faces? From a business standpoint, it can allot only a certain amount of money to resolve these threats. What security professionals need to understand that even if a company faces innumerable threats through a lot of vulnerabilities, they need to prioritize the risk arising out from these threats and resolve them with the limited budget available to them. In order to do so, every business will come up with an acceptable level of risk which it can withstand even it materializes.

Basis the above discussion, we can easily define risk management as:

Process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

We must ponder over two important facts here: management & maintaining. Management of the risk means identifying, resolving and then reviewing again and repeating this cycle again. A lot of security professionals confuse this with term Risk Assessment. Risk Assessment is only a part of the overall Risk Management cycle. Maintaining is another important aspect which a lot of companies get confused with. Risk Management should not be a “fit it forget it” approach and must be done on a periodic basis to ensure that the acceptable level of risk is maintained at all times. But what happens when a new risk comes up but does not affect the acceptable level of risk.

Imagine the business handling the nuclear reactor faces a new risk because a vulnerability has been discovered in an application which controls the cooling of the reactor. The vulnerability can be exploited by an attacker by manually logging into the system and running a specific command via the command prompt through an administrator access only.

What should a security professional do? The first step should be is to assess the change in the risk which has occurred in comparison to the acceptable level. To evaluate this, a risk assessment needs to be done which will help the professional understand what needs to be the future course of action. Many companies, however, do not evaluate the change in the risk levels and start focusing on patching the vulnerability itself which is a wrong approach. You may argue that a new vulnerability when detected may impact the company and hence needs to be patched anyway. So why not focus on patching it straight away? It ultimately boils down to the security budget and resources which you have at your disposal. If the security budget is tight and no resources are available and there is no change in the acceptable risk levels, it would be a good option to either postpone or prioritize the important issues at hand, rather than immediately focusing on patching the vulnerability.

Since every organization has a finite amount of money and an almost infinite number of vulnerabilities, properly ranking the most critical vulnerabilities to ensure that your company is maintaining the acceptable level of risk, is what risk management is all about. Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.

Reactions:

Get link

Facebook

Twitter

Pinterest

Email

Other Apps

Comments

You may also like to read...

You may read multiple posts on the various blogs and websites where you are given tips as to how to pass the exam in the first go, refer which books and solve which questions. In this blog post I’m not going to bombard you with those details. Instead, I’m going to share my journey and experience from preparing till passing the CISSP exam in the first attempt. What is CISSP? CISSP stands for Certified Information Systems Security Professional. Congratulations and all the very best to you, if you have decided to opt for the Gold Standard Certification. The exam is offered by ISC2 and contains around 250 questions. You have to book an appointment for the CISSP exam through the ISC2 website where you then redirected to a Pearson Vue website when you register for the exam. The exam costs around 599USD. Phase 1: Deciding It is very important for you to finalize which certification you want to do. Try to research the pros and cons of a certification. Do not just start preparing for a particular…

I wrote a blog post in the month of December where I detailed about the new CISSP CAT format being launched by the (ISC)2. The post gave details about the new exam – what would it be all about, what does the new exam mean for you and important points to consider. Well, since I had passed the exam way back in July, there was no way, I would decide to sit for this difficult exam again. Luckily, few of my friends gave the CISSP CAT exam and passed it, so I spoke to them to understand their experience with this new exam format and decided to write about it. So here it goes… The Study Material
The first question that comes to everyone’s mind is – Do I need to look for a new study material since the exam format has changed. The answer is NO. The CISSP study material remains the same. My friends referred to the following material, but this is not an exhaustive list in any way. My recommendation would be to stick to one particular book and get to know every word and line of it. It is extremel…

Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2. When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.
Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP?
You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are not graded, you need …

Popular Posts

You may read multiple posts on the various blogs and websites where you are given tips as to how to pass the exam in the first go, refer which books and solve which questions. In this blog post I’m not going to bombard you with those details. Instead, I’m going to share my journey and experience from preparing till passing the CISSP exam in the first attempt. What is CISSP? CISSP stands for Certified Information Systems Security Professional. Congratulations and all the very best to you, if you have decided to opt for the Gold Standard Certification. The exam is offered by ISC2 and contains around 250 questions. You have to book an appointment for the CISSP exam through the ISC2 website where you then redirected to a Pearson Vue website when you register for the exam. The exam costs around 599USD. Phase 1: Deciding It is very important for you to finalize which certification you want to do. Try to research the pros and cons of a certification. Do not just start preparing for a particular…

I wrote a blog post in the month of December where I detailed about the new CISSP CAT format being launched by the (ISC)2. The post gave details about the new exam – what would it be all about, what does the new exam mean for you and important points to consider. Well, since I had passed the exam way back in July, there was no way, I would decide to sit for this difficult exam again. Luckily, few of my friends gave the CISSP CAT exam and passed it, so I spoke to them to understand their experience with this new exam format and decided to write about it. So here it goes… The Study Material
The first question that comes to everyone’s mind is – Do I need to look for a new study material since the exam format has changed. The answer is NO. The CISSP study material remains the same. My friends referred to the following material, but this is not an exhaustive list in any way. My recommendation would be to stick to one particular book and get to know every word and line of it. It is extremel…

Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2. When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.
Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP?
You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are not graded, you need …

Disclaimer:

The views and opinions expressed herein are my own. They do NOT intend to represent the views or opinions of my employer or any other organization. Any information represented as fact are believed by me to be true, but I make no legal claim as to their certainty.